/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2018-04-24
   Identifier: Sednit Delphi Downloader
   Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
*/
/* Rule Set ----------------------------------------------------------------- */
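rule MAL_Sednit_DelphiDownloader_Apr18_2 {
   meta:
      description = "Detects malware from Sednit Delphi Downloader report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
      date = "2018-04-24"
      hash1 = "53aef1e8b281a00dea41387a24664655986b58d61d39cfbde7e58d8c2ca3efda"
      hash2 = "657c83297cfcc5809e89098adf69c206df95aee77bfc1292898bbbe1c44c9dc4"
      hash3 = "5427ecf4fa37e05a4fbab8a31436f2e94283a832b4e60a3475182001b9739182"
      hash4 = "0458317893575568681c86b83e7f9c916540f0f58073b386d4419517c57dcb8f"
      hash5 = "72aa4905598c9fb5a1e3222ba8daa3efb52bbff09d89603ab0911e43e15201f3"
      id = "6ccd2f21-de44-52fb-912e-d3ecbe57e389"
   strings:
      /* Every $s* pattern is the ASCII hex encoding of a cleartext indicator
         (the decoded text is given next to each pattern). The samples carry
         these strings hex-encoded, so the rule matches the encoded form, not
         the cleartext. */
      $s1 = "2D444F574E4C4F41445F53544152542D" ascii /* hex encoded string '-DOWNLOAD_START-' */
      $s2 = "55504C4F41445F414E445F455845435554455F46494C45" ascii /* hex encoded string 'UPLOAD_AND_EXECUTE_FILE' */
      $s3 = "4D6F7A696C6C612076352E31202857696E646F7773204E5420362E313B2072763A362E302E3129204765636B6F2F32303130303130312046697265666F782F36" ascii /* hex encoded string 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' */
      $s4 = "41646F62654461696C79557064617465" ascii /* hex encoded string 'AdobeDailyUpdate' */
      $s5 = "53595354454D494E464F2026205441534B4C495354" ascii /* hex encoded string 'SYSTEMINFO & TASKLIST' */
      $s6 = "6373727376632E657865" ascii /* hex encoded string 'csrsvc.exe' */
      $s7 = "536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E" ascii /* hex encoded string 'Software\Microsoft\Windows\CurrentVersion\Run' */
      $s8 = "5C536F6674776172655C4D6963726F736F66745C57696E646F7773204E545C43757272656E7456657273696F6E" ascii /* hex encoded string '\Software\Microsoft\Windows NT\CurrentVersion' */
      $s9 = "5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E" ascii /* hex encoded string '\Software\Microsoft\Windows\CurrentVersion' */
      /* A former $s0 carried the same pattern as $s1 ('-DOWNLOAD_START-');
         it was dropped as a duplicate. "1 of ($s*)" is unaffected because the
         set of distinct patterns is unchanged. */

      /* $fp* strings suppress a match: a file containing any of them is
         never reported, regardless of the $s* hits. */
      $fp1 = "<key name=\"profiles\">"
   condition:
      /* A single hex-encoded indicator is enough to alert (no PE header check,
         so non-executable carriers such as scripts or dumps can match too);
         the size cap and the $fp* guard limit the scan surface and false hits. */
      filesize < 4000KB and 1 of ($s*) and not 1 of ($fp*)
}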
rule MAL_Sednit_DelphiDownloader_Apr18_3 {
   meta:
      description = "Detects malware from Sednit Delphi Downloader report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
      date = "2018-04-24"
      modified = "2023-01-06"
      hash1 = "ecb835d03060db1ea3496ceca2d79d7c4c6c671c9907e0b0e73bf8d3371fa931"
      hash2 = "e355a327479dcc4e71a38f70450af02411125c5f101ba262e8df99f9f0fef7b6"
      id = "2200fbdc-3600-51d4-a273-dc7fd4127c05"
   strings:
      /* Cleartext command tokens and status markers as they appear in the
         samples; "fullword" is only applied where the original rule used it. */
      $a1 = "-DOWNLOAD_ERROR-" ascii
      $a2 = "-FILE_EXECUTE-" ascii
      $a3 = "-KILL_PROCESS-" ascii
      $a4 = "FILE_EXECUTE_AND_KILL_MYSELF" ascii
      $a5 = "CMD_EXECUTE" fullword ascii
      $a6 = "CONNECTION ERROR" fullword ascii
      $a7 = "Processor Level: " fullword ascii
      /* Path fragment with a GUID-like component, kept verbatim from the
         original rule (note the letter 'O' in the last group) - do not
         "correct" it, the pattern is what the samples contain. */
      $a8 = "\\Interface\\Office\\{31E12FE8-937F-1E32-871D-B1C9AOEF4D4}\\" ascii
      /* User-agent string associated with the Indy networking library
         (commonly used from Delphi). */
      $a9 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii
   condition:
      /* MZ header, size cap, and at least three of the nine strings above.
         "3 of ($a*)" is the same as "3 of them" since every string is $a*. */
      uint16(0) == 0x5A4D and filesize < 2000KB and 3 of ($a*)
}